corepack

feat: Allow token to be sent on download

Open BobLuursema opened this issue 3 months ago • 3 comments

When using Artifactory, the registry is set to, for example, https://my-company.example.org/artifactory/api/npm/my-npm. Authentication is mandatory in our setup. But the token will only be sent if the hostname matches the value in the environment variable. This blocks the download, since the variable also includes the path portion.

I am not sure how precise you want to be with this check. If needed I can also change it to parse out the hostname from the environment variable for a more secure check.

Fixes #733

In addition, I didn't see a test that covers this check. I can add it if you'd like.

BobLuursema avatar Sep 17 '25 10:09 BobLuursema
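The failure mode above, as an added example that is not corepack's code and not the PR author's change: a sketch of a hostname-versus-raw-setting comparison that works for a bare-host registry but never matches once the configured value carries a path, beside a hardened check that parses the configured registry as a URL and compares the request's origin and path prefix against it. The environment variable name, the function names and the sample URLs are assumptions for illustration; corepack's real comparison logic is not reproduced here.

```javascript
// Added example (not corepack's own code). Names are illustrative assumptions:
// registrySetting = the configured registry string (e.g. the value of an
// environment variable such as COREPACK_NPM_REGISTRY, assumed name),
// token = the credential that should only reach the configured registry.

// Sketch of the failure mode from the PR description: the request hostname is
// compared against the configured value with only the scheme stripped. For
// "https://registry.example" this equals the hostname and the token is sent;
// for "https://host/artifactory/api/npm/my-npm" it never does, so no token.
function shouldSendTokenNaive(registrySetting, downloadUrl) {
  const { hostname } = new URL(downloadUrl);
  const configured = registrySetting.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return hostname === configured;
}

// Hardened check: parse the configured registry as a URL and require that the
// download URL has the same origin (scheme + host + port) and that its path
// sits under the registry's path. Matching on origin rather than bare hostname
// keeps the token off an http:// downgrade or a different port on the same
// host; the path-prefix rule keeps it off unrelated paths on the same server.
function shouldSendToken(registrySetting, downloadUrl) {
  let registry;
  try {
    registry = new URL(registrySetting);
  } catch {
    return false; // unparsable registry setting: never attach credentials
  }
  const target = new URL(downloadUrl);
  if (target.origin !== registry.origin) return false;
  const base = registry.pathname.endsWith('/')
    ? registry.pathname
    : registry.pathname + '/';
  return target.pathname === registry.pathname || target.pathname.startsWith(base);
}

// Build the headers for a download request, attaching the token only when the
// hardened check passes.
function buildHeaders(registrySetting, downloadUrl, token) {
  const headers = { accept: 'application/octet-stream' };
  if (token && shouldSendToken(registrySetting, downloadUrl)) {
    headers.authorization = `Bearer ${token}`;
  }
  return headers;
}

// Constructed sample values mirroring the Artifactory layout from the PR.
const REGISTRY = 'https://my-company.example.org/artifactory/api/npm/my-npm';
const TARBALL = `${REGISTRY}/pnpm/-/pnpm-9.0.0.tgz`;

module.exports = { shouldSendTokenNaive, shouldSendToken, buildHeaders, REGISTRY, TARBALL };
```

The path-prefix rule is stricter than what the PR asks for (it only needs the hostname parsed out of the setting); drop the `startsWith` branch if the registry serves tarballs from a path outside its API prefix.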

CI is failing, can you take a look?

aduh95 avatar Sep 30 '25 20:09 aduh95

I also created a fix for this problem in #743, which is a smaller change that only addresses the bug. This PR, on the other hand, also updates the way authentication is handled and adds some useful tests.

Maybe we can first fix the bug and then follow up with the overall improvements from this PR, since I see it still needs some test fixes.

It would be great if we could fix this bug quickly. After the Shai-Hulud attack, I expect more companies will move to registries that let them scan, block, and have more control over the packages being downloaded. These registries can also include paths.

victor-perez avatar Oct 01 '25 09:10 victor-perez

CI is failing, can you take a look?

Should be fixed now! I guess I copied something over wrong. The tests connect to the URLs of Yarn and npm, but they are blocked on my work laptop after the Shai-Hulud attack. So I need to juggle a bit to get the code working and into the PR 😅

BobLuursema avatar Oct 01 '25 11:10 BobLuursema